Categories
Uncovering Hidden Risks

Ep 5 – Tips for Internal Investigations While Maintaining Privacy

Randyll Newman, Supervisor of Student Data and Information Security for Prince William County Public Schools in Virginia, joins host Erica Toelle and guest host Christophe Fiessinger on this week’s episode of Uncovering Hidden Risks. Randyll oversees the planning, operation, and management of security for the school division’s network infrastructure, data, and student information systems. He also served 10 years as a police officer and detective in Fairfax County, Va., retiring from the United States Naval Reserves after serving 26 years. Randyll discusses how organizations approach internal investigations, how important it is to maintain privacy for students and faculty during these investigations, and examples from previous case studies.

In This Episode You Will Learn:
  • Prince William County Public Schools’ reputation for innovative education
  • How important it is to maintain privacy for students and faculty
  • Business requirements for internal investigations
  • Considerations and adherence to regulatory compliance: Family Educational Rights and Privacy Act (FERPA); and Children’s Internet Protection Act (CIPA)
  • Tips and advice for other organizations
Some Questions We Ask:
  • What principles guided the initiative to ensure user privacy?
  • Can you outline the privacy principles you follow during investigations?
  • How did you design the technical solution to meet these business requirements?
Resources:

For more background, read the PWCS Case Study

View Randyll Newman on LinkedIn

View Christophe Fiessinger on LinkedIn

View Erica Toelle on LinkedIn

Related Microsoft Podcasts:          

Listen to: Afternoon Cyber Tea with Ann Johnson 

Listen to: Security Unlocked

Listen to: Security Unlocked: CISO Series with Bret Arsenault

Discover and follow other Microsoft podcasts at microsoft.com/podcasts

Uncovering Hidden Risks is produced by Microsoft and distributed as part of The CyberWire Network. 

Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program for Business Ventures-Franchisor Compliance

Most franchisors have thorough financial vetting requirements before allowing any person or business to become a franchisee. However, how many of these same businesses perform compliance due diligence on their prospective overseas franchises? How many U.S. franchisors have compliance training programs? How many evaluate, on an ongoing basis, the compliance program of their overseas franchisees? How many U.S. franchisors have a compliance hotline or other reporting mechanism for any compliance violations made against their franchisees?

Some issues include health and wage compliance officials who may appear during routine health inspections or local wage and hour compliance determinations; intellectual property officials, as maintaining intellectual property rights is critical for any franchise model; utility officials, as every franchise operation needs power maintained; and government procurement officials if the franchise is selling to a foreign government or state-owned enterprise.

How would all of this play out for a franchisor? As a franchisor moves into foreign markets there could well be the temptation to “grease the skids” and make payments or offer gifts to government officials, or their family members, to get the permits or permissions necessary to open and operate. In many countries, bribery is a common way of getting business done, and there can be tremendous pressure from local agents or franchisee candidates to follow regional customs and use bribes to become or remain competitive. Even if it is not the U.S. franchisor’s own employees that engage in the FCPA violations, the U.S. franchisor will still face the risk of an enforcement action if the franchisee’s employees engage in such conduct.

Three key takeaways:

  1. Franchises can bring an unexpected level of FCPA exposure.
  2. Franchisors must have more than financial vetting for potential franchisees.
  3. Use your compliance tool kit for business ventures in managing the FCPA risk for franchises.
Categories
Coming Conflict with China

Coming Conflict with China: Part 1-From Potential Conflict to Real Danger

In the short span of the 21st Century, the world’s two top powers, the United States and China, have moved inexplicably toward a showdown. This evolved from a commercial competition into something more akin to permanent non-kinetic warfare. What does this mean for US businesses doing business in and with China? In this special 5-part podcast series, Tom Fox and Brandon Daniels, CEO of Exiger, a leading global third-party and supply chain management software company, explore issues as diverse as real danger, supply chain, exports, cyber-attacks, and IP theft from the business perspective and give the compliance and business executive their viewpoints on what you can do to not only prepare your company but protect it as well. Part I: from potential conflict to real danger.

Are your relationships headed toward conflict or real danger? Find out in this first episode of this special 5-part podcast series. In this series, Tom is joined by Brandon Daniels, who is an advocate for free markets and democracy and is passionate about providing transparency to the global corporate ecosystem. As this podcast series was being recorded, Chinese authorities arrested employees of the Mintz Group in Beijing. The Mintz Group is a well-known and well-respected international investigations firm. This is one more step in the increasing opacity of the Chinese market. They consider the economic battle being lost to Chinese companies due to their coercive tactics. How do cheap bids pose national security risks? Explore these topics and more in this episode.

Key Quote- Brandon Daniels

“Don’t just go with the cheap bid. Pay attention to the national security risk that a cheap bid from one of these Chinese companies could mean to your business and think differently about how you establish security in critical products.”

 Key Takeaways

  1. What is the Chinese government doing to increase opacity in the Chinese market, and how is this impacting global free markets?
  2. How is the Chinese government manipulating the economics of the global market, and what implications does this have for businesses?
  3. What strategies and approaches can businesses take to ensure security and diversity in their supply chain?

 Resources

Exiger

Tom Fox


Categories
The Ethics Experts

Episode 145 – Dr. Steven Mintz

 

In this episode of The Ethics Experts, Nick welcomes Dr. Steven Mintz. Dr. Steven Mintz is an emeritus professor from Cal Poly, San Luis Obispo. He is known as the “Ethics Sage” for his blogs, opinion pieces, and media interviews on ethics issues. He has also published a textbook on accounting ethics, Ethical Obligations and Decision Making in Accounting: Text and Cases, which is used in more than 40 universities worldwide.
https://www.stevenmintzethics.com/
https://www.linkedin.com/in/steven-mintz-aka-ethics-sage-98268126/
https://twitter.com/ethicssage?lang=en

Categories
Blog

Coming Conflict with China-Business Challenges and Responses: From Potential Conflict to Real Danger

In the short span of the 21st Century, the world’s two top powers, the United States and China, have moved inexplicably toward a showdown. This evolved from a commercial competition into something more akin to permanent non-kinetic warfare. What does this mean for US businesses doing business in and with China? For this special 5-part blog post series, I visited with Brandon Daniels, CEO and President of Exiger, to explore issues as diverse as real danger, supply chain, exports, cyber-attacks, and IP theft from the business perspective and give the compliance and business executive their viewpoints on what you can do to not only prepare your company but protect it as well. Part I: from potential conflict to real danger.

It is time to ask some tough questions and come up with robust responses to the challenges. With China’s increasing attempts to subvert the US economy, decrease transparency of its business practices, and the use of its blocking statutes that protect its companies from US laws, the situation is becoming increasingly challenging. What steps can you take to safeguard yourself and your business? Join us to explore these questions and more in this special series.

Here are the steps you should follow to begin to think about your organization’s business and operational security:

  1. Identifying potential threats and risks in the global business and commerce ecosystem.
  2. Developing a strategy to diversify the global supply chain to mitigate risks and increase security.
  3. Finding alternate sources of supply and production in different countries to create redundancy and increase diversity.

1. Identifying potential threats and risks

Identifying potential threats and risks in the global business and commerce ecosystem requires an understanding of how geopolitical tensions and economic coercion can impact businesses and markets. When looking at the arrests of Mintz Group employees in Beijing and the potential for China to subvert our global free market, it is important to consider how Chinese investments in critical technologies, like battery plants, and their control of resources, like cobalt and copper, could be used to manipulate the market. It is also important to be aware of China’s attempts to restrict access to economic policies, like tariffs, that make it cheaper to manufacture in China than in Vietnam or Malaysia. It is important to consider the impact of China’s annexing of other countries, their blocking statutes, and their potential to use Uighur forced labor in their garment industry, all of which could lead to human rights issues. By understanding the potential threats and risks, businesses can be better prepared to put appropriate measures in place to protect their data, their people, and their customers.

2. Developing a strategy to diversify your global supply chain

Developing a strategy to diversify the global supply chain to mitigate risks and increase security is a crucial step in mitigating potential risks associated with China’s increasing adversarial activity. To ensure the safety and security of a company’s supply chain, it is important to diversify its sources of supply, especially for critical infrastructure such as logic-bearing circuitry and pharmaceutical ingredients. Your organization should think twice before accepting a cheap bid from a Chinese company and instead diversify to sources from countries such as Japan, South Korea, the United Kingdom, and the United States. By diversifying supply chain sources, companies can ensure that they are not over-dependent on any one country, and can also take advantage of premium pricing that comes with diversity, security and redundancy in their commerce.

3. Finding alternate sources of supply and production

Finding alternate sources of supply and production in different countries to create redundancy and increase diversity is an important step in mitigating risk in a highly unpredictable geopolitical environment. To do this, you should start by looking into local manufacturing capabilities and taking the opportunity to support companies from other countries, such as Japan, Korea, the UK, the US, Mexico, and Canada. These countries may be more reliable in their political stability and may offer a premium for the security that comes with diversity. Additionally, it is important to investigate the state of the industries in these countries and what investments they are making. For example, Japan is investing heavily in their electronics sector, Korea in semiconductors, and the US and Canada in AI. To ensure your business is protected, you should also consider investing in a backup plan in case of disruption from your current source. This could involve researching other suppliers, negotiating contracts with them, and training staff and operations to use them. By investing in these alternate sources and plans, you will be able to create redundancy and increase diversity in your supply chain, ultimately making your business more secure.

The importance of identifying potential threats and risks in the global business and commerce ecosystem and developing a strategy to diversify the global supply chain to mitigate risks and increase security cannot be overstated. You should be working to find alternate sources of supply in different countries to create redundancy and increase diversity. By taking the necessary steps to understand the potential risks of doing business with China, businesses can be better prepared to protect their data, their people, and their customers. Opaqueness is the foe of transparency.  With the right knowledge and strategy, you too can ensure the safety and security of your business.

For a deeper dive into these issues, check out the 5-part podcast series with Tom Fox and Brandon Daniels, here.

Categories
Corruption, Crime and Compliance

DOJ Issues New Compliance Guidance and Focus on Corporate Compliance Systems

The Justice Department is raising the bar on corporate compliance, and Michael Volkov believes we are witnessing a watershed moment. In this episode of Corruption, Crime and Compliance, he explains the significant revisions to the evaluation of corporate compliance programs, the new corporate enforcement policy, and the criminal division’s three-year pilot program on compensation incentives and clawback. 

Some of the ideas discussed in this episode include:

  • DOJ is raising expectations for corporate compliance programs and incentivizing ethical behavior.
  • Companies must implement effective employee reporting systems, conduct timely internal investigations, and hold bad actors and weak supervisors accountable for their failures.
  • DOJ is frustrated with the lack of cooperation between HR and compliance departments and seeks to promote a new era of compliance cooperation and operationalization.
  • The evaluation of corporate compliance programs now includes a new section entitled Compensation Structures and Consequence Management, which mandates the design and implementation of compensation schemes to foster a compliance culture.
  • DOJ’s three-year pilot program for corporate compensation systems and clawbacks aims to reduce the burden on corporate shareholders and punish individual wrongdoers.
  • Companies need to bring together senior leadership, business leaders, legal and compliance, and human resources to build together a set of incentives, disincentives and other structural changes to promote an ethical culture of compliance.
  • DOJ expects companies to implement an effective employee reporting system. The updated guidelines provide specific guidance on how that reporting system ties into the overall advancement of the corporate culture, timely internal investigations, careful root cause analyses, and a new term consequence management.
  • Companies can earn a fine reduction when they seek to recoup compensation from culpable employees, and prosecutors will have discretion in how to fashion the requirements for the compliance-related compensation and bonus systems.
  • DOJ’s new policy includes important requirements for preservation of data from messaging applications and texting systems, and companies need to tailor communications data preservation policies to the specific risk, profile, and needs of their business.

 

KEY QUOTES:

“DOJ’s intent here is just unmistakable. Companies have to monitor, detect, and prevent future wrongdoing, and they have to hold bad actors and weak supervisors accountable for their failures.” – Michael Volkov

 

“To the extent that compliance and HR departments fail to coordinate and fight over turf, companies will face increased risks of a defective ethics and compliance program, employee misconduct rates will rise, and government investigation risks will rise as well.” – Michael Volkov

 

“Finally, with respect to risk management, companies have to ensure that there are appropriate consequences to executives and employees who fail to comply with communications and data preservation requirements.” – Michael Volkov

 

Resources:

Michael Volkov on LinkedIn | Twitter

The Volkov Law Group

Categories
All Things Investigations

All Things Investigations: Episode 24 – The Information and Communications Technology and Services Rule with Tyler Grove and John Hannon

In this episode of All Things Investigations, we’re tackling a rule that every business executive and compliance officer needs to be aware of. It’s the IT Supply Chain Security Rule, and it authorizes the US Department of Commerce to review transactions involving property or services subject to US jurisdiction that come from foreign countries deemed as foreign adversaries, such as China and Russia. Joining host Tom Fox are Tyler Grove and John Hannon, who co-wrote a paper on this rule. They discuss the implications of the rule, its impact on trade with China and other countries, and what businesses need to know to stay compliant.

Tyler Grove is a partner at Hughes, Hubbard and Reed, specializing in sanctions, export controls, and foreign direct investment review. John Hannon is an associate at the same firm and works with Tyler in the International Trade Group, focusing on export controls and sanctions, as well as commercial litigation.

 

Some of the ideas discussed in this episode include:

  • The IT Supply Chain Security Rule gives the US Department of Commerce powers similar to those of CFIUS to review transactions and require mitigating action up to and including unwinding certain transactions if national security concerns are identified.
  • The rule applies to a broad range of products, including internet-connected software, data hosting and cloud services, networking equipment, internet-connected cameras, and potentially drones.
  • While it’s still early in the enforcement process, there could be indirect impacts on trade with China and other countries due to third-party partners refusing to engage in transactions for reputational reasons or otherwise.
  • Commerce has requested approximately $36 million to hire 114 positions dedicated to ICTS administration and enforcement, indicating that there will be more reviews and enforcement in the near future.
  • The ICTS rule targets companies that are headquartered or sending products from foreign adversary jurisdictions and aims to prevent these companies from acquiring US technology that could be used for national security purposes.
  • Companies that fall within the scope of the ICTS rule should conduct a risk assessment to identify any potential national security concerns that Commerce may have and form a response plan for internal stakeholders in the event of an enforcement matter.

 

KEY QUOTES

“There are some significant differences between the ICTS and CFIUS regimes. First, the CFIUS regime allows at-risk companies to proactively seek review and clear their transactions. Although there is a proposed licensing procedure for this ICTS regime, it has not become effective yet.” – John Hannon

 

 “I think the clientele and types of target companies may dictate the regulatory attitude.” – John Hannon

 

“I think at this point we really are advising companies that are at risk to try to be proactive, think about ways that they could get ahead of potential ICTS enforcement action. Probably the very first place to start there is to conduct a risk assessment where a company would look at their products at the supply chain.” – Tyler Grove

 

“As we’ve mentioned a couple of times already, this rule is very much in the early stages right now, and so it’s almost certain that additional guidance will be forthcoming in the near future.” – Tyler Grove

 

Resources:

Hughes Hubbard & Reed website

Tyler Grove on LinkedIn

John Hannon on LinkedIn

Categories
FCPA Compliance Report

Erica Salmon Byrne on 2023 World’s Most Ethical Companies

Welcome to the award-winning FCPA Compliance Report, the longest running podcast in compliance. In this episode, I am joined by Erica Salmon Byrne, President of Ethisphere, to discuss the World’s Most Ethical Companies awards. Byrne explains the evaluation process and what types of areas are investigated. She highlights how the list has fluctuated over the years and the importance of a company’s people practices. Through the cross-functional scorecard, companies can measure their performance compared to a global index.

We discuss the importance of “ethics premium” and the scorecard process. To measure the value of a company’s people practices, the survey demonstrated an outperformance of 13.6% against a comparable global index. Byrne also gives information to listeners on where to find more information on the world’s most ethical companies. Tune into this episode of the FCPA Compliance Report and learn more about the World’s Most Ethical Companies. 

Key Highlights

  1. What is the World’s Most Ethical Companies® recognition?
  2. How long has Ethisphere recognized the World’s Most Ethical Companies?
  3. What criteria does Ethisphere consider during the evaluation process? What is the evaluation framework?
  4. What are the benefits of applying for the World’s Most Ethical Companies?
  5. Even if a company is not selected, what are some of the benefits?
  6. What is the Ethics Premium and what was the 2023 Ethics Premium? 

 Notable Quotes

“What does the recognition itself mean? So, you know, it’s really interesting, Tom. Because I’ve asked a lot of honorary companies about that. And I particularly liked the way one company phrased it to me when I was talking to them last week, and they said, look, there are lots and lots of times that companies get recognized for messing up.”

“We’re looking at the ways you are thinking about, your impact on the communities in which you operate. We are looking at your ethics and compliance program initiatives. We’re looking at the way you are governing your programs both at the board level and at the C suite level. We’re looking at your leadership and your reputation.”

“I’ve had multiple compliance officers tell me that their best self-assessment work is just reading the red line of our survey every year and asking themselves would I answer this new question from Ethisphere?”

“Are there questions on this survey I can’t answer without going and speaking to somebody else? Do I know who that person is? And if not, why not? Because all of those relationships are critical relationships to operating your program well.”

 Episode Links

World’s Most Ethical Companies